Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libsndfile.

This upload backports fixes for a number of security-related bugs (CVE-2017-7742, CVE-2017-8361, CVE-2017-8362, CVE-2017-8363 and CVE-2017-8365) from upstream; each patch carries the upstream commit it was taken from in its DEP-3 header. The changelog additionally records CVE-2017-7741, CVE-2017-7586 and CVE-2017-7585 as fixed by the fix_bufferoverflows.patch that already shipped in 1.0.27-2. Since libsndfile is a widely used library for reading and writing sound files in many formats, these security issues affect quite a number of ordinary desktops.

unblock libsndfile/1.0.27-3

-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libsndfile-1.0.27/debian/changelog libsndfile-1.0.27/debian/changelog
--- libsndfile-1.0.27/debian/changelog 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/changelog 2017-05-28 22:52:39.000000000 +0200
@@ -1,3 +1,24 @@
+libsndfile (1.0.27-3) unstable; urgency=medium
+
+ * Mentioned CVEs fixed by fix_bufferoverflows.patch
+ (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
+ * Backported patch for error handling of malicious/broken FLAC files
+ (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
+ (Closes: #860255)
+ * Backported patch to fix buffer read overflow in FLAC code
+ (CVE-2017-8362)
+ (Closes: #862204)
+ * Backported patches to fix memory leaks in FLAC code
+ (CVE-2017-8363)
+ (Closes: #862203)
+ * Backported patch to fix buffer overruns in FLAC-code
+ (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
+ (Closes: #862205, #862203, #862202)
+
+ * Added Vcs-* stanzas to d/control
+
+ -- IOhannes m zmölnig (Debian/GNU) <umlae...@debian.org> Sun, 28 May 2017 22:52:39 +0200
+
 libsndfile (1.0.27-2) unstable; urgency=medium
 * Backported fixes for buffer-write overflows from 1.0.28.
diff -Nru libsndfile-1.0.27/debian/control libsndfile-1.0.27/debian/control
--- libsndfile-1.0.27/debian/control 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/control 2017-05-28 22:52:39.000000000 +0200
@@ -9,6 +9,8 @@
 libasound2-dev [linux-any]
 Standards-Version: 3.9.8
 Homepage: http://www.mega-nerd.com/libsndfile/
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/libsndfile.git
+Vcs-Browser: https://anonscm.debian.org/git/collab-maint/libsndfile.git
 Package: libsndfile1-dev
 Section: libdevel
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-7742.patch 2017-05-28 22:52:39.000000000 +0200
@@ -0,0 +1,89 @@
+Description: more fixes for FLAC error handling
+ fixes CVE-2017-7742, CVE-2017-7741, CVE-2017-7585
+Author: Eric de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -68,9 +68,9 @@
+ unsigned bufferpos ;
+
+ const FLAC__Frame *frame ;
+- FLAC__bool bufferbackup ;
+
+ unsigned compression ;
++
+ } FLAC_PRIVATE ;
+
+ typedef struct
+@@ -187,10 +187,9 @@
+
+ if (pflac->ptr == NULL)
+ { /*
+- ** Not sure why this code is here and not elsewhere.
+- ** Removing it causes valgrind errors.
++ ** This pointer is reset to NULL each time the current frame has been
++ ** decoded. Somehow its used during encoding and decoding.
+ */
+- pflac->bufferbackup = SF_TRUE ;
+ for (i = 0 ; i < channels ; i++)
+ { if (pflac->rbuffer [i] == NULL)
+@@ -206,6 +205,11 @@
+
+ len = SF_MIN (pflac->len, frame->header.blocksize) ;
+
++ if (pflac->remain % channels != 0)
++ { psf_log_printf (psf, "Error: pflac->remain %u channels %u\n", pflac->remain, channels) ;
++ return 0 ;
++ } ;
++
+ switch (pflac->pcmtype)
+ { case PFLAC_PCM_SHORT :
+ { short *retpcm = (short*) pflac->ptr ;
+@@ -381,7 +385,6 @@
+ pflac->frame = frame ;
+ pflac->bufferpos = 0 ;
+
+- pflac->bufferbackup = SF_FALSE ;
+ pflac->wbuffer = buffer ;
+
+ flac_buffer_copy (psf) ;
+@@ -906,11 +909,19 @@
+ static unsigned
+ flac_read_loop (SF_PRIVATE *psf, unsigned len)
+ { FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
++ FLAC__StreamDecoderState state ;
+
+ pflac->pos = 0 ;
+ pflac->len = len ;
+ pflac->remain = len ;
+
++ state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++ if (state > FLAC__STREAM_DECODER_END_OF_STREAM)
++ { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++ /* Current frame is busted, so NULL the pointer. */
++ pflac->frame = NULL ;
++ } ;
++
+ /* First copy data that has already been decoded and buffered. */
+ if (pflac->frame != NULL && pflac->bufferpos < pflac->frame->header.blocksize)
+ flac_buffer_copy (psf) ;
+@@ -919,8 +930,13 @@
+ while (pflac->pos < pflac->len)
+ { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0)
+ break ;
+- if (FLAC__stream_decoder_get_state (pflac->fsd) >= FLAC__STREAM_DECODER_END_OF_STREAM)
++ state = FLAC__stream_decoder_get_state (pflac->fsd) ;
++ if (state >= FLAC__STREAM_DECODER_END_OF_STREAM)
++ { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ;
++ /* Current frame is busted, so NULL the pointer. */
++ pflac->frame = NULL ;
+ break ;
++ } ;
+ } ;
+
+ pflac->ptr = NULL ;
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8362.patch 2017-05-28 22:52:39.000000000 +0200
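Review bot: The new `pflac->remain % channels != 0` guard in flac_buffer_copy logs and returns 0 but never sets `psf->error`, and the two decoder-state checks added to flac_read_loop likewise only log and NULL `pflac->frame`, so a caller sees a silent short read and cannot tell a corrupt frame from the end of the data. Recording a code before bailing out, e.g. `psf->error = SFE_FLAC_UNKOWN_ERROR ;` ahead of the `return 0 ;` (the SFE_FLAC_* codes are declared in common.h, outside this hunk), would surface the condition through the library's error reporting instead of only the log. The pre-loop test uses `> FLAC__STREAM_DECODER_END_OF_STREAM` while the in-loop test uses `>=`; if that is intended so that a frame buffered before a clean end of stream is still copied, a one-line comment saying so would keep a later reader from "fixing" the mismatch. flac_buffer_copy begins before its hunk and flac_read_loop continues past the last one.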
@@ -0,0 +1,42 @@
+Description: fixed yet another buffer read overflow in FLAC code
+ CVE-2017-8362
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -169,6 +169,14 @@
+ const int32_t* const *buffer = pflac->wbuffer ;
+ unsigned i = 0, j, offset, channels, len ;
+
++ if (psf->sf.channels != (int) frame->header.channels)
++ { psf_log_printf (psf, "Error: FLAC frame changed from %d to %d channels\n"
++ "Nothing to do but to error out.\n" ,
++ psf->sf.channels, frame->header.channels) ;
++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++ return 0 ;
++ } ;
++
+ /*
+ ** frame->header.blocksize is variable and we're using a constant blocksize
+ ** of FLAC__MAX_BLOCK_SIZE.
+@@ -202,7 +210,6 @@
+ return 0 ;
+ } ;
+
+-
+ len = SF_MIN (pflac->len, frame->header.blocksize) ;
+
+ if (pflac->remain % channels != 0)
+@@ -436,7 +443,7 @@
+ { case FLAC__METADATA_TYPE_STREAMINFO :
+ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
+ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
+- "Nothing to be but to error out.\n" ,
++ "Nothing to do but to error out.\n" ,
+ psf->sf.channels, metadata->data.stream_info.channels) ;
+ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
+ return ;
diff -Nru libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch
--- libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/CVE-2017-8365.patch 2017-05-28 22:52:39.000000000 +0200
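Review bot: `frame->header.channels` is passed to psf_log_printf with `%d` in the new check at the top of flac_buffer_copy even though the comparison on the line above needs an `(int)` cast, which indicates the field is unsigned; if psf_log_printf follows printf conversion rules, `%u` or the same `(int)` cast keeps the two lines consistent. The check sets `psf->error` and returns 0, but whether decoding actually stops is decided by sf_flac_write_callback, which is outside this hunk: unless it returns FLAC__STREAM_DECODER_WRITE_STATUS_ABORT when `psf->error` is non-zero, libFLAC will keep delivering frames that each hit this check and each get logged. A short comment on the new block, e.g. `/* A frame whose channel count differs from STREAMINFO must not be copied; see CVE-2017-8362. */`, would record why this is a hard error rather than a warning. flac_buffer_copy begins before the hunk.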
@@ -0,0 +1,50 @@
+Description: fixing buffer read/write overruns in FLAC-code
+ CVE-2017-8365, CVE-2017-8363, CVE-2017-8361
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/common.h
++++ libsndfile/src/common.h
+@@ -709,6 +709,7 @@
+ SFE_FLAC_INIT_DECODER,
+ SFE_FLAC_LOST_SYNC,
+ SFE_FLAC_BAD_SAMPLE_RATE,
++ SFE_FLAC_CHANNEL_COUNT_CHANGED,
+ SFE_FLAC_UNKOWN_ERROR,
+
+ SFE_WVE_NOT_WVE,
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -435,6 +435,19 @@
+
+ switch (metadata->type)
+ { case FLAC__METADATA_TYPE_STREAMINFO :
++ if (psf->sf.channels > 0 && psf->sf.channels != (int) metadata->data.stream_info.channels)
++ { psf_log_printf (psf, "Error: FLAC stream changed from %d to %d channels\n"
++ "Nothing to be but to error out.\n" ,
++ psf->sf.channels, metadata->data.stream_info.channels) ;
++ psf->error = SFE_FLAC_CHANNEL_COUNT_CHANGED ;
++ return ;
++ } ;
++
++ if (psf->sf.channels > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)
++ { psf_log_printf (psf, "Warning: FLAC stream changed sample rates from %d to %d.\n"
++ "Carrying on as if nothing happened.",
++ psf->sf.samplerate, metadata->data.stream_info.sample_rate) ;
++ } ;
+ psf->sf.channels = metadata->data.stream_info.channels ;
+ psf->sf.samplerate = metadata->data.stream_info.sample_rate ;
+ psf->sf.frames = metadata->data.stream_info.total_samples ;
+--- libsndfile.orig/src/sndfile.c
++++ libsndfile/src/sndfile.c
+@@ -245,6 +245,7 @@
+ { SFE_FLAC_INIT_DECODER , "Error : problem while initialization of the flac decoder." },
+ { SFE_FLAC_LOST_SYNC , "Error : flac decoder lost sync." },
+ { SFE_FLAC_BAD_SAMPLE_RATE, "Error : flac does not support this sample rate." },
++ { SFE_FLAC_CHANNEL_COUNT_CHANGED, "Error : flac channel changed mid stream." },
+ { SFE_FLAC_UNKOWN_ERROR , "Error : unknown error in flac decoder." },
+
+ { SFE_WVE_NOT_WVE , "Error : not a WVE file." },
diff -Nru libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch
--- libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/fix_bufferoverflows.patch 2017-05-28 22:52:39.000000000 +0200
@@ -1,9 +1,10 @@
 Description: fixes buffer write overflows
+ CVE-2017-7741, CVE-2017-7586, CVE-2017-7585
 Author: Erik de Castro Lopo
 Origin: upstream
 Applied-Upstream: 1.0.28
 Reviewed-by: IOhannes m zmölnig
-Last-Update: 2017-04-03
+Last-Update: 2017-05-28
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- libsndfile.orig/src/id3.c
diff -Nru libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch
--- libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsndfile-1.0.27/debian/patches/fix_flac_memleaks.patch 2017-05-28 22:52:39.000000000 +0200
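Review bot: The sample-rate check added to the STREAMINFO case of sf_flac_meta_callback is gated on `psf->sf.channels > 0` although it compares `psf->sf.samplerate`; `if (psf->sf.samplerate > 0 && psf->sf.samplerate != (int) metadata->data.stream_info.sample_rate)` states the intent and stops the warning from depending on an unrelated field. Its message `"Carrying on as if nothing happened."` also lacks the trailing `\n` that every other psf_log_printf string in this hunk ends with, so the next log line will run onto it. In common.h the new `SFE_FLAC_CHANNEL_COUNT_CHANGED` is inserted before `SFE_FLAC_UNKOWN_ERROR` rather than appended, which renumbers every later code; if these values can reach callers through the library's error API (sndfile.h is not in this diff), appending the new code at the end of the enumeration keeps a stable-release update from changing existing ones. sf_flac_meta_callback starts before its hunk and continues after it.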
@@ -0,0 +1,44 @@
+Description: fixing another memory leak in FLAC code
+ CVE-2017-8363
+Author: Erik de Castro Lopo
+Origin: upstream
+Applied-Upstream: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 & https://github.com/erikd/libsndfile/commit/5206a9b65e61598fde44d276c81b0585bc428562
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libsndfile.orig/src/flac.c
++++ libsndfile/src/flac.c
+@@ -430,8 +430,7 @@
+ static void
+ sf_flac_meta_callback (const FLAC__StreamDecoder * UNUSED (decoder), const FLAC__StreamMetadata *metadata, void *client_data)
+ { SF_PRIVATE *psf = (SF_PRIVATE*) client_data ;
+- FLAC_PRIVATE* pflac = (FLAC_PRIVATE*) psf->codec_data ;
+- int bitwidth = 0, i ;
++ int bitwidth = 0 ;
+
+ switch (metadata->type)
+ { case FLAC__METADATA_TYPE_STREAMINFO :
+@@ -481,12 +480,6 @@
+
+ if (bitwidth > 0)
+ psf_log_printf (psf, " Bit width : %d\n", bitwidth) ;
+-
+-
+- for (i = 0 ; i < psf->sf.channels ; i++)
+- pflac->rbuffer [i] = calloc (FLAC__MAX_BLOCK_SIZE, sizeof (int32_t)) ;
+-
+- pflac->wbuffer = (const int32_t* const*) pflac->rbuffer ;
+ break ;
+
+ case FLAC__METADATA_TYPE_VORBIS_COMMENT :
+@@ -847,7 +840,9 @@
+
+ psf_log_printf (psf, "End\n") ;
+
+- if (psf->error == 0)
++ if (psf->error != 0)
++ FLAC__stream_decoder_delete (pflac->fsd) ;
++ else
+ { FLAC__uint64 position ;
+
+ FLAC__stream_decoder_get_decode_position (pflac->fsd, &position) ;
diff -Nru libsndfile-1.0.27/debian/patches/series libsndfile-1.0.27/debian/patches/series
--- libsndfile-1.0.27/debian/patches/series 2017-04-04 15:33:45.000000000 +0200
+++ libsndfile-1.0.27/debian/patches/series 2017-05-28 22:52:39.000000000 +0200
@@ -1,2 +1,6 @@
 fix_bufferoverflows.patch
+CVE-2017-7742.patch
+CVE-2017-8365.patch
+fix_flac_memleaks.patch
+CVE-2017-8362.patch
 fix_typos.patch
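Review bot: The new error branch in the last hunk deletes the decoder but leaves `pflac->fsd` pointing at freed memory; a `pflac->fsd = NULL ;` immediately after `FLAC__stream_decoder_delete (pflac->fsd) ;` would let any later cleanup of the codec data (the close path is not in this diff) skip the handle instead of double-freeing it. The hunk also drops the per-channel `calloc` of `pflac->rbuffer` from sf_flac_meta_callback, so the read buffers now depend entirely on the `if (pflac->rbuffer [i] == NULL)` path in flac_buffer_copy, whose body is outside this diff; a comment at the removal site, e.g. `/* rbuffer is allocated on first use in flac_buffer_copy; allocating it here as well leaked the buffers (CVE-2017-8363). */`, would record why the allocation moved and stop someone from reintroducing it. The function containing the last hunk begins and ends outside this diff.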